Analysis
- max time kernel: 165s
- max time network: 258s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2022 18:05
Behavioral tasks
- behavioral1: sample 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe, resource win7-20220812-en
- behavioral2: sample 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe, resource win10v2004-20220812-en
General
- Target: 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe
- Size: 36KB
- MD5: f2ee5fac443bc271ea8dffc4759ad104
- SHA1: 2e0b54d11a13b114cfd203b1679e251482b67794
- SHA256: 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a
- SHA512: 4528b0eb86ae1e0b116496fa69fe1901a199a20a8524de60d798717bb7e5caaddc59163a06bf5a7e40455f9f6bf6ef6adbe87ddb9d1022cbafa3c1e908fc9834
- SSDEEP: 768:G9GEnDiAZ6vc4y1xP7jIFpaEuiXLiP6AluDAKCfIQJpxHN:GJnDiAOy1tjVfP6ZArg4pdN
Malware Config
Extracted from C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- family: makop
- email: mozgpitona@outlook.com
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: svchost.exe
  - PID 4868 created 4788: process svchost.exe (pid 4868), target process 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes: wbadmin.exe (pid 1488)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe\""
- Drops file in Program Files directory (64 IoCs)
  Processes: 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vds.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (pid 372)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe (pid 4788, listed twice)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes: svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe
  - svchost.exe (pid 4868): SeTcbPrivilege (twice)
  - vssvc.exe (pid 1608): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - wbengine.exe (pid 4248): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  - WMIC.exe (pid 1016), each of the following adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: svchost.exe, 6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe, cmd.exe
  - PID 4868 (svchost.exe) wrote to memory of 4188 (6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe): 7 times
  - PID 4788 (6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe) wrote to memory of 1064 (cmd.exe): 2 times
  - PID 1064 (cmd.exe) wrote to memory of 372 (vssadmin.exe): 2 times
  - PID 1064 (cmd.exe) wrote to memory of 1488 (wbadmin.exe): 2 times
  - PID 1064 (cmd.exe) wrote to memory of 1016 (WMIC.exe): 2 times
Processes (indentation shows the process tree)
- C:\Users\Admin\AppData\Local\Temp\6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6a845a5bbfabda4d9a5153444718b0426c9a2cf7f23f9ee87cae34d2c594400a.exe" n4788
  - C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)